Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

Posted by timothy on from the please-avoid-mine dept.

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

5 of 205 comments (clear)

  1. Windows Autorun by Anonymous Coward · · Score: 3, Insightful

    The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.

    1. Re:Windows Autorun by 0123456 · · Score: 4, Insightful

      Easily disabled or dismissed.

      Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

  2. Another scam by Orion+Blastar · · Score: 3, Insightful

    like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

    Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

    The attached files usually have malware in them.

    Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

    I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

    I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  3. Re:Hackers can be pen testers by rafemonkey · · Score: 5, Insightful

    Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

  4. Re:Hackers can be pen testers by Faylone · · Score: 4, Insightful

    I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

    Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.